Localhost detour from public to private networks: Vulnerabilities and mitigations

Dor Israeli; Alon Noy; Yehuda Afek; Anat Bremler-Barr

doi:10.1007/s12095-024-00750-x

Localhost detour from public to private networks: Vulnerabilities and mitigations

Dor Israeli, Alon Noy, Yehuda Afek, Anat Bremler-Barr

Tel Aviv University

Research output: Contribution to journal › Article › peer-review

Abstract

This paper presents a new localhost browser based vulnerability and corresponding attack that opens the door to new attacks on private networks and local devices. We show that this new vulnerability may put hundreds of millions of internet users and their IoT devices at risk. We demonstrate the viability of the attack on a real product, "Folding@Home", of which we did a responsible disclosure of the specific vulnerability. Following the attack presentation, we suggest three new protection mechanisms to mitigate this vulnerability, across the different entities of the attack (broswer, localhost server, and attacked IOT). This new attack bypasses recently suggested protection mechanisms designed to stop browser-based attacks on private devices and local applications (Chromium and Rigoudy 2021, Afek et al. 2019), of which we also did a responsible disclosure.

Original language	English
Pages (from-to)	597-620
Number of pages	24
Journal	Cryptography and Communications
Volume	17
Issue number	3
DOIs	https://doi.org/10.1007/s12095-024-00750-x
State	Published - May 2025

Keywords

Browser based attack
IoT
Localhost
Private network

All Science Journal Classification (ASJC) codes

Computer Networks and Communications
Computational Theory and Mathematics
Applied Mathematics

Access to Document

10.1007/s12095-024-00750-x

Cite this

@article{72e9249532c748c0a3b1312c11ba17cc,

title = "Localhost detour from public to private networks: Vulnerabilities and mitigations",

abstract = "This paper presents a new localhost browser based vulnerability and corresponding attack that opens the door to new attacks on private networks and local devices. We show that this new vulnerability may put hundreds of millions of internet users and their IoT devices at risk. We demonstrate the viability of the attack on a real product, {"}Folding@Home{"}, of which we did a responsible disclosure of the specific vulnerability. Following the attack presentation, we suggest three new protection mechanisms to mitigate this vulnerability, across the different entities of the attack (broswer, localhost server, and attacked IOT). This new attack bypasses recently suggested protection mechanisms designed to stop browser-based attacks on private devices and local applications (Chromium and Rigoudy 2021, Afek et al. 2019), of which we also did a responsible disclosure.",

keywords = "Browser based attack, IoT, Localhost, Private network",

author = "Dor Israeli and Alon Noy and Yehuda Afek and Anat Bremler-Barr",

note = "Publisher Copyright: {\textcopyright} The Author(s) 2024.",

year = "2025",

month = may,

doi = "10.1007/s12095-024-00750-x",

language = "الإنجليزيّة",

volume = "17",

pages = "597--620",

journal = "Cryptography and Communications",

issn = "1936-2447",

publisher = "Springer Publishing Company",

number = "3",

}

TY - JOUR

T1 - Localhost detour from public to private networks

T2 - Vulnerabilities and mitigations

AU - Israeli, Dor

AU - Noy, Alon

AU - Afek, Yehuda

AU - Bremler-Barr, Anat

N1 - Publisher Copyright: © The Author(s) 2024.

PY - 2025/5

Y1 - 2025/5

N2 - This paper presents a new localhost browser based vulnerability and corresponding attack that opens the door to new attacks on private networks and local devices. We show that this new vulnerability may put hundreds of millions of internet users and their IoT devices at risk. We demonstrate the viability of the attack on a real product, "Folding@Home", of which we did a responsible disclosure of the specific vulnerability. Following the attack presentation, we suggest three new protection mechanisms to mitigate this vulnerability, across the different entities of the attack (broswer, localhost server, and attacked IOT). This new attack bypasses recently suggested protection mechanisms designed to stop browser-based attacks on private devices and local applications (Chromium and Rigoudy 2021, Afek et al. 2019), of which we also did a responsible disclosure.

AB - This paper presents a new localhost browser based vulnerability and corresponding attack that opens the door to new attacks on private networks and local devices. We show that this new vulnerability may put hundreds of millions of internet users and their IoT devices at risk. We demonstrate the viability of the attack on a real product, "Folding@Home", of which we did a responsible disclosure of the specific vulnerability. Following the attack presentation, we suggest three new protection mechanisms to mitigate this vulnerability, across the different entities of the attack (broswer, localhost server, and attacked IOT). This new attack bypasses recently suggested protection mechanisms designed to stop browser-based attacks on private devices and local applications (Chromium and Rigoudy 2021, Afek et al. 2019), of which we also did a responsible disclosure.

KW - Browser based attack

KW - IoT

KW - Localhost

KW - Private network

UR - http://www.scopus.com/inward/record.url?scp=105003020810&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/record.url?scp=85208812171&partnerID=8YFLogxK

U2 - 10.1007/s12095-024-00750-x

DO - 10.1007/s12095-024-00750-x

M3 - مقالة

SN - 1936-2447

VL - 17

SP - 597

EP - 620

JO - Cryptography and Communications

JF - Cryptography and Communications

IS - 3

ER -

Localhost detour from public to private networks: Vulnerabilities and mitigations

Abstract

Keywords

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this